From 1d0016a52ee9c822a890447115f92f1afebf2a31 Mon Sep 17 00:00:00 2001 From: Akpolo Ogagaoghene Prince Date: Mon, 1 Jun 2026 20:42:04 +0100 Subject: [PATCH] fix(ci): use lowercase owner in Trivy image-ref so the staging scan can run The Deploy Staging workflow fails on every push to main at the Trivy scan: FATAL run error: image scan error: ... failed to parse the image name: could not parse reference: ghcr.io/LabsCrypt/remitlend-backend:staging- The images are built and pushed with ${{ env.OWNER_LC }} (lowercase, as OCI requires), but the two Trivy steps referenced the image via ${{ github.repository_owner }}, which is "LabsCrypt" with capitals. OCI image references must be lowercase, so Trivy could not parse the reference and exited 1; the CRITICAL step was then skipped and the upload-sarif step failed with "Path does not exist: trivy-results.sarif". Point both Trivy image-ref values at ${{ env.OWNER_LC }} so they match the pushed tags and the scan can actually run. --- .github/workflows/deploy-staging.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 26e9c4f3..1d7027e1 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -64,7 +64,7 @@ jobs: - name: Run Trivy vulnerability scanner (HIGH - warn) uses: aquasecurity/trivy-action@master with: - image-ref: 'ghcr.io/${{ github.repository_owner }}/remitlend-backend:staging-${{ github.sha }}' + image-ref: 'ghcr.io/${{ env.OWNER_LC }}/remitlend-backend:staging-${{ github.sha }}' format: 'table' severity: 'HIGH' exit-code: '0' @@ -73,7 +73,7 @@ jobs: - name: Run Trivy vulnerability scanner (CRITICAL - fail) uses: aquasecurity/trivy-action@master with: - image-ref: 'ghcr.io/${{ github.repository_owner }}/remitlend-backend:staging-${{ github.sha }}' + image-ref: 'ghcr.io/${{ env.OWNER_LC }}/remitlend-backend:staging-${{ github.sha }}' format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL'